Tuesday, January 29, 2008

The percentage of people using plastic money (cards) for transactions is growing day by day, and card scams are rising along with it. We often hear or read about credit card fraud in our daily lives, and how people end up in nightmares seeing huge bills for things they never actually purchased. Likewise, the credit card companies are paying handsome amounts out of their profits to cover these fraudulent transactions.

Let me bring up a few ways in which these frauds happen. By and large, for physical credit card transactions, the deception starts when the person who takes your card to swipe it copies your card information to some other device. These details are later copied onto fake cards that look like genuine cards, complete with hologram markings and logos. The card holder remains completely unaware that his card has been cloned until he notices bill amounts for things he never purchased. Another common method is making a hoax call to the card holder (often posing as the card issuer) and trying to obtain card details. Credit card bills lying in trash cans or public places are another avenue where fraud originates.

For users who pay by card online, there are a large number of ways in which card data can be compromised. Falling prey to a friendly email asking for card details in return for discounts, emailing card details to a friend, or having card details copied by illegal software installed in cyber cafes are the most common lines of attack.

One of the reasons for the increase in successful frauds is the card owner's inadequate knowledge of the proper use of credit cards. Here’s how credit card owners can better safeguard themselves from these frauds.

• During a credit card transaction, keep an eye on your card as it is being swiped. Make sure it is swiped only once for a single successful transaction and get your card back as quickly as possible.
• Sign your credit card as soon as you receive it.
• Be protective of your credit card number so that others around you can't copy it or capture it on a cell phone or camera.
• Be prompt in checking your credit card bills to verify there are no bogus charges. Report any charges that you don’t recognize to the card issuer promptly.
• When using cards at hotels or restaurants, remember to draw a line through blank portions of the receipt where additional charges, other than hotel tips, could be fraudulently added.
• If your billing address changes, notify your credit card issuers in advance so that bills reach safe hands.
• Save your receipts so you can compare them with your monthly bills.
• Always give your phone number to the company for verification of suspicious transactions.
• Be wary of any phone call or email seeking details of your account.
• Never give away photocopies of both sides of your credit card for any purpose.
• For online transactions using a credit card, remember to go by HTTPS and not HTTP.
• Avoid making e-transactions on a publicly shared machine, such as one in an Internet café, or over an open free wireless network.

Wednesday, January 09, 2008

Banks today are increasingly exposed to a number of security threats. The ones in the headlines have been phishing, key logging and man-in-the-middle attacks. Many online banking users are naïve about this kind of technology and the threats associated with it. It is necessary to help them understand the precautions they must take to avoid becoming victims of online theft.

Consumer education becomes a key element in preventing a number of risks from materializing into fraud. It is much easier for the experienced eyes of an internet-savvy user to detect potential phishing attempts than for a customer who has recently migrated from the old school of banking to more recent modes.

On a happy note, there are solutions in the market to tackle the problems of phishing, key loggers and man-in-the-middle attacks. But these solutions are expensive and not foolproof.

Business Security Buy-In: Given the customer base or other reasons, it has not been easy for banks to justify investing in secure solutions for online banking. In fact, many banks are willing to compensate customers for their fraud losses, as they find it more cost-effective than putting up a secure solution.

Security Challenges: Banks have to continuously evaluate the risks, the cost of technology solutions and even upgrades. It gets all the more challenging due to the variety of technological solutions available in the market, each addressing individual problems but none offering a one-stop solution.

Tuesday, January 08, 2008

A dangerous cyber practice known as typo-squatting is in the spotlight again. Attackers, or typo-squatters, register domains using common misspellings of popular brands, products, and people in order to redirect consumers to alternative websites.

Should a user accidentally enter an incorrect website address, they may be led to an alternative website owned by a cybersquatter. If the intended website is "example.com", the squatted domain may be:

• A common misspelling, or foreign language spelling, of the intended site: exemple.com
• A misspelling based on typing errors: xample.com or exxample.com
• A differently phrased domain name: examples.com
• A different top-level domain: example.org

Once on the typo-squatter's site, the user may be tricked into thinking that they are in fact on the real site, through the use of copied or similar logos, website layouts or content.
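The categories above can be turned into a check that a brand owner or mail/proxy administrator runs over domains seen in logs or registration feeds. The following is an added example, not code from the original post: the function names, category labels and sample list are assumptions made for illustration, and it handles only single-character differences and single-label TLDs.

```python
# Added example: classify observed domains against one protected domain.
# The SAMPLE list is constructed, reusing the post's own illustrations.

def split_domain(domain):
    """'example.com' -> ('example', 'com'); assumes a single-label TLD."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify(observed, protected):
    """Return the lookalike category of `observed`, or None if not close."""
    o, o_tld = split_domain(observed)
    p, p_tld = split_domain(protected)
    if o == p:
        return None if o_tld == p_tld else "different top-level domain"
    if edit_distance(o, p) != 1:
        return None  # only single-character lookalikes are flagged here
    if len(o) == len(p):
        return "misspelling (substituted character)"
    if len(o) < len(p):
        return "typing error (omitted character)"
    if any(o[i] == o[i + 1] and o[:i] + o[i + 1:] == p
           for i in range(len(o) - 1)):
        return "typing error (doubled character)"
    if o == p + "s":
        return "differently phrased name (plural)"
    return "typing error (extra character)"

def scan(observed_domains, protected):
    """Map each flagged domain to its category; clean domains are omitted."""
    return {d: c for d in observed_domains if (c := classify(d, protected))}

SAMPLE = ["example.com", "exemple.com", "xample.com", "exxample.com",
          "examples.com", "example.org", "unrelated.net"]

if __name__ == "__main__":
    for domain, category in scan(SAMPLE, "example.com").items():
        print(f"{domain:15} {category}")
```

Flagged domains are candidates for review, defensive registration or blocklisting; a match alone does not prove the domain is malicious.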

About Me

He is involved in Application Security Consulting and establishing App Security across SDLC. He also conducts security workshops for the developer community. Besides interest in App Security, he likes Performance Testing and tuning of web applications.